Episode Info: What we’ve been doing
Chris
Vacation
Idea refinement & generation
John
Finding a job
Freelancing via Networking
Security in Open source
White Hat vs Black Hat
Accidental hackers
Stumbling upon a security issue because of another bug
All comes down to one thing: Responsible Disclosure
Don’t
Post it publicly
Post it on public Twitter
Tell a bunch of friends
Open a public GitHub issue
Do
Usually via an email address
Give examples and proof of concept
Be willing to work with the team
Ask even if you think it’s “dumb”
Places to provide disclosure
security@ email address
HackerOne
Contact Form
If it’s your project
Have a policy in place
How do you handle the commits
Do they get an issue
Do you log them for historical reference (privately)
Announcement schedule
How do you rate its seriousness?
Set up an email address (security@)
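The OWASP Risk Rating Methodology linked below is the usual answer to "how do you rate its seriousness?". As an added example (not code from the episode, from WordPress or from OWASP), here is that method carried through in Python: the eight likelihood factors and eight impact factors are each scored 0-9, averaged, banded as LOW / MEDIUM / HIGH, and combined with the step-4 severity table. The factor names, the sample scores and the finding they describe are assumptions constructed for illustration; score your own finding and the same code gives you its band.

```python
# Added example, not part of the episode notes or of OWASP's own material.
# Implements the OWASP Risk Rating Methodology (step 4 severity table).
# Factor names and sample scores below are assumptions for illustration.

from statistics import mean

# Likelihood factors (each scored 0-9), grouped as OWASP groups them.
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)

# Impact factors (each scored 0-9).
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity table from OWASP step 4: outer key is the impact band,
# inner key is the likelihood band.
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}


def level(score):
    """Map a 0-9 average to the OWASP band: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError("factor averages must be between 0 and 9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, expected):
    """Average one factor group, refusing missing or out-of-range factors."""
    missing = set(expected) - set(scores)
    if missing:
        raise KeyError(f"missing factors: {sorted(missing)}")
    for name in expected:
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {scores[name]}")
    return mean(scores[name] for name in expected)


def rate(likelihood, impact):
    """Return (likelihood average, impact average, overall severity)."""
    l_avg = average(likelihood, LIKELIHOOD_FACTORS)
    i_avg = average(impact, IMPACT_FACTORS)
    return l_avg, i_avg, SEVERITY[level(i_avg)][level(l_avg)]


# Constructed sample scores (assumption): an unauthenticated arbitrary file
# download in a widely installed plugin, discoverable with public tooling.
SAMPLE_LIKELIHOOD = {
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 9, "ease_of_exploit": 9, "awareness": 9,
    "intrusion_detection": 9,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 9,
    "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    l_avg, i_avg, severity = rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)
    print(f"likelihood {l_avg:.2f} ({level(l_avg)}), "
          f"impact {i_avg:.2f} ({level(i_avg)}) -> {severity}")
```

Note that the band comes from the averages, not from any single factor: a finding that needs no skill to exploit but touches nothing sensitive still lands at Low or Note, which is why the OWASP page stresses scoring the impact factors honestly rather than reaching for Critical whenever a proof of concept exists.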
Examples
St Jude Pacemakers
WordPress 4.6.1
RevSlider
Undisclosed Company
How to know if your site is vulnerable?
Sucuri
https://wpvulndb.com/
Links to articles mentioned
WordPress docs on ‘Responsible Disclosure’ – https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
OWASP Rating Methods – https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_4:_Determining_the_Severity_of_the_Risk
MedSec Holdings & Muddy Waters St. Jude Pacemakers – http://fortune.com/2016/08/31/hacking-st-jude-pacemakers-flawed/
WordPress 4.6.1 Security Advisory –